vandmo / dependency-lock-maven-plugin

Maven plugin that makes sure that Maven dependencies are not accidentally changed.
https://github.com/vandmo/dependency-lock-maven-plugin
Apache License 2.0

Readme improvements on Dependabot needed #52

Closed andruhon closed 2 years ago

andruhon commented 2 years ago

Hi Mikael!

Could you please clarify the Dependabot support level? It is mentioned in the readme that with the XML format for package locks, Dependabot Security Alerts for transitive dependencies will be enabled; however, it is not clear whether Dependabot will be able to update the lock file itself.

The scenario is: we have Dependabot running and finding jars that need updating. The problem is that it only updates the pom.xml, but we also have a bunch of lock-versions.json files that need corresponding updates.

Would be nice to have a note in README.md explaining whether it is possible to have locks updated by Dependabot or not.

Thank you, have a good one.

vandmo commented 2 years ago

Hi! It only has support for "Dependabot Security Alerts", and only if you have <format>pom</format>. What that means is that Dependabot will create security alerts even for transitive dependencies. Unfortunately, Dependabot updates don't work with either format. With the pom format, Dependabot will create pull requests for the lock file, but since Dependabot creates separate PRs for each change, you would need to merge all PRs before you are able to get a green build.

https://github.com/dependabot/dependabot-core/issues/1190 might make updates work if/when implemented.

It might also be possible to set up your own GitHub Action that would create its own PR combining all the Dependabot PRs. Similar to https://blog.somewhatabstract.com/2021/10/11/setting-up-dependabot-with-github-actions-to-approve-and-merge/ but creating a new PR instead of approving them.

I will have a look at clarifying it in the documentation.

Have a good one!
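As an added example (not code from the plugin, its README, or anyone in this thread), one way to close the gap the question describes: a GitHub Actions workflow that re-runs the plugin's locking goal on each Dependabot branch and commits the regenerated lock file, so Dependabot's pom.xml bump and the matching lock change land in the same PR instead of needing a separate combined PR. The plugin coordinates `se.vandmo:dependency-lock-maven-plugin` and the goal name `lock` are assumptions taken from the plugin's documentation rather than stated in this thread; verify them before use. Also assumed: the lock files are tracked in git and the default branch is `main`.

```yaml
# Added example, not part of the plugin or this issue thread.
# Regenerates the Maven dependency lock on Dependabot's own PR branches.
#
# Assumptions: plugin coordinates se.vandmo:dependency-lock-maven-plugin and
# goal `lock` (check the plugin README); lock files are committed to git.
name: relock-dependabot

on:
  # pull_request_target runs with the base branch's (writable) GITHUB_TOKEN; a
  # plain pull_request event triggered by dependabot[bot] only gets a read-only
  # token and could not push. The cost is that `mvn` below executes the PR's
  # pom.xml with that writable token, so the job is gated to Dependabot's PRs
  # only (pull_request.user.login cannot be forged by a fork author).
  pull_request_target:
    branches: [main]

permissions:
  contents: write

jobs:
  relock:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # pull_request_target checks out the base by default; take the PR head
          # (Dependabot branches live in the same repository, never in a fork).
          ref: ${{ github.event.pull_request.head.ref }}
          fetch-depth: 0

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          cache: maven

      - name: Regenerate lock file(s)
        # Assumed goal name; see lead-in. Resolves the bumped version and
        # rewrites the lock file(s) in place.
        run: mvn -B se.vandmo:dependency-lock-maven-plugin:lock

      - name: Commit lock changes back to the Dependabot branch
        run: |
          git config user.name  "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add -A
          # Only commit when the lock actually changed; otherwise the PR is
          # already consistent and the build should be green as-is.
          if git diff --cached --quiet; then
            echo "lock file already up to date"
            exit 0
          fi
          git commit -m "Update dependency lock for Dependabot bump"
          git push origin HEAD:"${{ github.event.pull_request.head.ref }}"
```

Two caveats worth knowing before adopting this. First, once a foreign commit lands on a Dependabot branch, Dependabot stops rebasing that PR automatically; a `@dependabot rebase` or `recreate` comment discards the extra commit and the workflow regenerates it. Second, the `pull_request_target` trigger is the piece a reviewer should scrutinize: it runs the PR's Maven build with a write-capable token, which is acceptable only because the `if:` gate limits it to Dependabot-authored PRs from the repository itself.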

vandmo commented 2 years ago

Added a note about it in the README, https://github.com/vandmo/dependency-lock-maven-plugin#dependabot-updates-wont-work